Author's Abstract

A method is described for proving "always possibly" properties of specifications in formalisms with linear-time trace semantics. It is shown to be relatively complete for TLA (Temporal Logic of Actions) specifications.
1 Introduction



Does proving possibility properties provide any useful information about a 
system? Why prove that it is possible for a user to press q on the keyboard 
and for a q subsequently to appear on the screen? We know that the user can 
always press the q key, and what good is knowing that a q might appear on 
the screen? Isn't it enough to prove that no q appears on the screen unless a 
q is typed (a safety property), and that, if a q is typed, then a q eventually 
does appear (a liveness property)? 

Although possibility properties may tell us nothing about a system, we 
do not reason about a system; we reason about a mathematical model of 
a system. A possibility property can provide a sanity check on our model. 
Proving that it is always possible for a press(q) action to occur tells us 
something useful about the model. In general, we want to prove that a 
model allows the occurrence of actions representing events that the system 
cannot prevent. 

We present a method for proving that it is always possible for some 
state or action eventually to occur. This is the simplest class of possibility 
properties and seems to be the most useful. (The simpler requirement that 
it is always possible for an action to occur may also be useful, but it just 
asserts that the action is always enabled, so it is a safety property and 
not a possibility property.) We first describe the general approach, which 
applies to any formalism with a linear-time semantics. We then show how 
the method is used with TLA, the Temporal Logic of Actions [8], and prove 
a relative completeness result. 

Possibility properties pose no problem in formalisms based on branching-time semantics [4]. However, it is impossible to assert in linear-time temporal logic that something is always possible [6]. It is therefore not obvious how to prove possibility properties in the formalisms that we consider, which are based on linear-time semantics.

We are concerned with proofs, not finite-state model checking. Model checking begins by writing (or rewriting) a specification as a transition system. A finite-state linear-time specification should yield the same transition system as the corresponding branching-time specification, and hence the same model checking algorithm.
2 Possibility and Closure

2.1 Closure and Safety

We begin by reviewing some basic concepts of linear-time temporal logic [10]. A behavior is an infinite sequence of states or of events — for now, it doesn't matter which. The meaning $[\![\Pi]\!]$ of a temporal-logic formula $\Pi$ is a Boolean-valued function on behaviors. We say that the behavior $\sigma$ satisfies $\Pi$ iff (if and only if) $[\![\Pi]\!](\sigma)$ equals TRUE. Formula $\Pi$ is valid, written $\models \Pi$, iff every behavior satisfies $\Pi$. To use temporal logic to specify (a mathematical model of) a system, we consider states to represent possible system states and events to represent possible system actions, so a behavior represents a conceivable execution of a system. A system is specified by a formula $\Pi$ that is satisfied by precisely those behaviors that represent a legal system execution.

Boolean operations on formulas are defined in the obvious way; for example, $[\![\Pi \wedge \Phi]\!](\sigma) = [\![\Pi]\!](\sigma) \wedge [\![\Phi]\!](\sigma)$. We define $\Box\Pi$ to be the formula that is satisfied by a behavior $\sigma$ iff every suffix of $\sigma$ satisfies $\Pi$, and we define $\Diamond\Pi$ to be satisfied by $\sigma$ iff some suffix of $\sigma$ satisfies $\Pi$. The operators $\Box$ and $\Diamond$ are read always and eventually, respectively. We define $\leadsto$ by

$$\Pi \leadsto \Phi \;\triangleq\; \Box(\Pi \Rightarrow \Diamond\Phi).$$

Let $S^\infty$ be the set of all behaviors, let $S^*$ be the set of all finite behaviors (finite prefixes of elements of $S^\infty$), let "$\cdot$" be concatenation of sequences, and let $\rho \sqsubseteq \sigma$ mean that $\rho$ is a nonempty finite prefix of the behavior $\sigma$. The closure $\mathcal{C}(\Pi)$ of a formula $\Pi$ is defined by

$$[\![\mathcal{C}(\Pi)]\!](\sigma) \;\triangleq\; \forall \rho \sqsubseteq \sigma : \exists \tau \in S^\infty : [\![\Pi]\!](\rho \cdot \tau) \qquad (1)$$

where $\forall \rho \sqsubseteq \sigma$ is universal quantification over all finite prefixes $\rho$ of $\sigma$. Thus, a behavior $\sigma$ satisfies $\mathcal{C}(\Pi)$ iff every finite prefix of $\sigma$ can be extended to a behavior that satisfies $\Pi$. The following proposition follows easily from (1).

Proposition 1 For any formulas $\Pi$ and $\Phi$:

1. $\models \Pi \Rightarrow \mathcal{C}(\Pi)$

2. $\models \Pi \Rightarrow \Phi$ implies $\models \mathcal{C}(\Pi) \Rightarrow \mathcal{C}(\Phi)$

A safety formula is one that equals its closure. Thus, a safety formula $\Pi$ is satisfied by a behavior $\sigma$ iff every prefix of $\sigma$ can be extended to a behavior satisfying $\Pi$. Intuitively, a safety property $\Pi$ constrains only the finite behavior of a system — any behavior that fails to satisfy $\Pi$ fails at some specific instant. More precisely, $\Pi$ is a safety property (equals its closure) iff

$$\forall \sigma \in S^\infty : [\![\neg\Pi]\!](\sigma) = \exists \rho \sqsubseteq \sigma : \forall \tau \in S^\infty : [\![\neg\Pi]\!](\rho \cdot \tau) \qquad (2)$$

2.2 Possibility

We now define a class of possibility properties and relate them to closure. The properties are of the form always possibly $P$, meaning that at all times during an execution of the system, it is possible for $P$ eventually to become true. In linear-time temporal logic, it is impossible to write a formula whose meaning is always possibly $P$ [6]. However, for any particular system, we can write a formula asserting that always possibly $P$ holds for behaviors of that system. More precisely, we can define a formula $\mathcal{P}_\Pi(P)$ such that always possibly $P$ holds for the system specified by $\Pi$ iff $\mathcal{P}_\Pi(P)$ is valid.

Intuitively, always possibly $P$ holds for a system iff, at any point during any execution of the system, it is possible to choose some particular way of continuing the execution that makes $P$ eventually hold. In other words, if $\rho$ is the prefix of a behavior satisfying the system's specification $\Pi$, then there exists a behavior $\tau$ such that $\rho \cdot \tau$ satisfies $\Pi$, and $P$ holds at some point in $\tau$. We can therefore define $\mathcal{P}_\Pi(P)$ by

$$[\![\mathcal{P}_\Pi(P)]\!](\sigma) \;\triangleq\; [\![\Pi]\!](\sigma) \Rightarrow \forall \rho \sqsubseteq \sigma : \exists \tau : [\![\Pi]\!](\rho \cdot \tau) \wedge [\![\Diamond P]\!](\tau) \qquad (3)$$

Our method of proving possibility properties is based on the following result. It and all subsequent propositions are proved in the appendix.

Proposition 2 If $\neg P$ is a safety property, then

$$\models (\mathcal{C}(\Pi) \Rightarrow \mathcal{C}(\mathcal{C}(\Pi) \wedge \Box\Diamond P)) \Rightarrow \mathcal{P}_\Pi(P)$$

We will use this result when $[\![P]\!](\sigma)$ depends only on the first one or two elements of $\sigma$. By (2), $\neg P$ is a safety property for such a $P$.

3 Proving Possibility Properties in TLA

3.1 TLA

To apply Proposition 2, we need to compute closures. One can write TLA specifications in a way that makes computing the closure easy. We now give a thumbnail review of TLA; see [8] for a real explanation of the logic.

In TLA, behaviors are infinite sequences of states, where a state is an assignment of variables to values. We let $S$ be the set of all states. Formulas are built from actions, Boolean operators, and the temporal operator $\Box$. An action is a Boolean expression containing primed and unprimed variables. For states $s$ and $t$, we define $[\![A]\!](s, t)$ to equal true iff $A$ holds with values from $s$ substituted for unprimed variables and with values from $t$ substituted for primed variables. We consider action $A$ to be a temporal formula by letting $[\![A]\!](s_0, s_1, s_2, \ldots)$ equal $[\![A]\!](s_0, s_1)$.

A state predicate $P$ is an action with no primed variables; we write $[\![P]\!](s)$ instead of $[\![P]\!](s, t)$, which is independent of $t$. For an action $A$, we define the predicate $\mathrm{Enabled}\,A$ by $[\![\mathrm{Enabled}\,A]\!](s) \triangleq \exists t \in S : [\![A]\!](s, t)$. A state function is a non-Boolean expression containing no primed variables. For any state function $v$, we let $[A]_v \triangleq A \vee (v' = v)$ and $\langle A \rangle_v \triangleq A \wedge (v' \neq v)$, where $v'$ is the expression obtained by priming the free variables in $v$.

The canonical form of a TLA formula is $Init \wedge \Box[N]_v \wedge F$, where $Init$ is a state predicate, $N$ an action, $v$ a state function, and $F$ the conjunction of formulas of the form $WF_v(A)$ (weak fairness) or $SF_v(A)$ (strong fairness), with

$$WF_v(A) \;\triangleq\; \Diamond\Box\neg\mathrm{Enabled}\,\langle A \rangle_v \;\vee\; \Box\Diamond\langle A \rangle_v$$
$$SF_v(A) \;\triangleq\; \Box\Diamond\neg\mathrm{Enabled}\,\langle A \rangle_v \;\vee\; \Box\Diamond\langle A \rangle_v$$

For example, a system that starts with $x$ and $y$ both 0, and repeatedly either increments $x$ by $\pm 1$ or, if $x$ equals 0, increments $y$ by $\pm 1$, is specified by the following formula $\Pi_{xy}$.¹

$$N_{xy} \;\triangleq\; \begin{array}{l} \vee\ \wedge\ x' \in \{x + 1, x - 1\} \\ \phantom{\vee\ } \wedge\ y' = y \\ \vee\ \wedge\ x = x' = 0 \\ \phantom{\vee\ } \wedge\ y' \in \{y + 1, y - 1\} \end{array}$$

$$\Pi_{xy} \;\triangleq\; (x = y = 0) \wedge \Box[N_{xy}]_{\langle x, y \rangle} \wedge WF_{\langle x, y \rangle}(N_{xy})$$

The fairness condition $WF_{\langle x, y \rangle}(N_{xy})$ asserts that the system never stops.

¹ A list of formulas bulleted with $\wedge$ or $\vee$ denotes the conjunction or disjunction of the formulas; indentation is used to eliminate parentheses. Angle brackets enclose tuples.

TLA also has an operator $\boldsymbol{\exists}$, where $\boldsymbol{\exists}\, x : \Pi$ is essentially $\Pi$ with variable $x$ hidden. The system specified by $\boldsymbol{\exists}\, x : \Pi$ satisfies a possibility property iff $\Pi$ does — assuming $x$ does not occur free in the property — so we ignore the $\boldsymbol{\exists}$ operator here. Using $\boldsymbol{\exists}$, we can express $\mathcal{P}_\Pi(P)$ and $\mathcal{C}(\Pi)$ as TLA formulas, for any formulas $\Pi$ and $P$. Propositions 1 and 2 can then be proved by temporal-logic reasoning.

Closures of TLA formulas are computed using the following result.

Proposition 3 If $Init$ is a state predicate, $M$ and $N$ are actions such that $M$ implies $N$, and $F$ is the conjunction of countably many formulas of the form $WF_v(A)$ and/or $SF_v(A)$, where each $\langle A \rangle_v$ implies $M$, then

$$\mathcal{C}(Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge F) \;=\; Init \wedge \Box[N]_v$$

Since $\Box\Pi$ implies $\Diamond\Box\Pi$, for any $\Pi$, substituting $N_{xy}$ for both $N$ and $M$ in the proposition proves that $\mathcal{C}(\Pi_{xy}) = (x = y = 0) \wedge \Box[N_{xy}]_{\langle x, y \rangle}$. For $M = N$, Proposition 3 is a special case of Proposition 2 of [1].

A formula of the form $Init \wedge \Box[N]_v \wedge F$ is called machine closed [1] if its closure equals $Init \wedge \Box[N]_v$. Proposition 3 implies that such a formula is machine closed if $F$ is the conjunction of fairness conditions for actions that imply $N$. Machine closure means that $F$ does not rule out any finite prefixes of behaviors. It can be argued that any specification that models a real implementation should be machine closed, and that possibility properties need be proved only for a model of an implementation, not for a high-level specification.

3.2 The Proof Method

We now show how to use Propositions 1, 2, and 3 to prove possibility properties of the form $\mathcal{P}_\Pi(P)$ for a state predicate $P$, where $\Pi$ equals $Init \wedge \Box[N]_v \wedge F$, and $\mathcal{C}(\Pi)$ equals $Init \wedge \Box[N]_v$. For any action $A$, formula $\mathcal{P}_\Pi(A)$ is equivalent to $\mathcal{P}_\Pi(\mathrm{Enabled}\,([N]_v \wedge A))$. Hence, our method can be used to prove properties $\mathcal{P}_\Pi(A)$ for arbitrary actions $A$.

To prove $\mathcal{P}_\Pi(P)$, we find an action $M$ and a conjunction $G$ of fairness properties such that

$$Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge G \;\Rightarrow\; \Box\Diamond P \qquad (4)$$

and for which we can use Proposition 3 to prove

$$\mathcal{C}(Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge G) \;=\; Init \wedge \Box[N]_v \qquad (5)$$

We then deduce $\mathcal{P}_\Pi(P)$ as follows.

1. $Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge G \Rightarrow Init \wedge \Box[N]_v \wedge \Box\Diamond P$
   Proof: (4).

2. $Init \wedge \Box[N]_v \Rightarrow \mathcal{C}(Init \wedge \Box[N]_v \wedge \Box\Diamond P)$
   Proof: (5) and part 2 of Proposition 1.

3. Q.E.D.
   Proof: By Proposition 2, since $Init \wedge \Box[N]_v = \mathcal{C}(\Pi)$.

For example, to prove $\mathcal{P}_{\Pi_{xy}}(y = 17)$, we take

$$M \;\triangleq\; \begin{array}{l} \vee\ \wedge\ ((x > 0) \wedge (x' = x - 1)) \vee ((x < 0) \wedge (x' = x + 1)) \\ \phantom{\vee\ } \wedge\ y' = y \\ \vee\ \wedge\ x = x' = 0 \\ \phantom{\vee\ } \wedge\ ((y > 17) \wedge (y' = y - 1)) \vee ((y < 17) \wedge (y' = y + 1)) \end{array}$$

and let $G$ be $WF_{\langle x, y \rangle}(M)$. To prove (4), we use the TLA rules from Figure 5 (page 888) of [8].
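As an added illustration, not code from the paper, the following Python script runs a finite-state analogue of obligations (4) and (5) on a constructed bounded window of the $\Pi_{xy}$ system: `always_possibly` checks the property directly (every reachable state can reach a $P$-state), and `helper_proves` checks that a candidate $M$ is a sub-action of $N_{xy}$ and that fair $M$-steps from every reachable state lead to $P$. The window bounds XB and YB, the function names, and the deliberately inadequate helper m_only_x are assumptions introduced for this example.

```python
# Added example (not from the paper): finite-state analogue of the proof
# method of Section 3.2 on a constructed bounded window of the Nxy system.
from collections import deque
from typing import Callable, Dict, Iterable, Set, Tuple

State = Tuple[int, int]          # (x, y)
XB, YB = 3, 25                   # assumption: the paper's system is unbounded
Step = Callable[[State], Set[State]]

def in_window(s: State) -> bool:
    return -XB <= s[0] <= XB and -YB <= s[1] <= YB

def nxy(s: State) -> Set[State]:
    """Successors under Nxy: x moves by 1; y moves by 1 only when x = 0."""
    x, y = s
    succ = {(x + 1, y), (x - 1, y)}
    if x == 0:
        succ |= {(0, y + 1), (0, y - 1)}
    return {t for t in succ if in_window(t)}

def m_toward_y17(s: State) -> Set[State]:
    """The helper action M of Section 3.2: drive x to 0, then y to 17."""
    x, y = s
    if x != 0:
        return {(x - 1 if x > 0 else x + 1, y)}
    if y != 17:
        return {(0, y - 1 if y > 17 else y + 1)}
    return set()                 # M is not enabled at (0, 17)

def m_only_x(s: State) -> Set[State]:
    """Constructed bad helper: it never touches y, so it cannot witness y = 17."""
    x, y = s
    return {(x - 1 if x > 0 else x + 1, y)} if x != 0 else set()

def is_y17(s: State) -> bool:
    return s[1] == 17

def reachable(init: Iterable[State], step: Step) -> Set[State]:
    seen, todo = set(init), deque(init)
    while todo:
        for t in step(todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def always_possibly(init, step: Step, pred) -> bool:
    """Direct check of 'always possibly P': every reachable state can reach a P-state."""
    return all(any(pred(t) for t in reachable([s], step)) for s in reachable(init, step))

def helper_proves(init, step: Step, m: Step, pred) -> bool:
    """Finite-state analogue of obligations (4) and (5) for a candidate helper M."""
    reach = reachable(init, step)
    for s in reach:
        if not m(s) <= step(s):        # (5) needs M => N so that Proposition 3 applies
            return False
        if not pred(s) and not m(s):   # WF(M) is vacuous here: a fair run can stall short of P
            return False
    # (4): a cycle of M-steps through non-P states would let a fair run avoid P forever
    colour: Dict[State, int] = {}      # 1 = on the DFS stack, 2 = finished
    def acyclic_from(s: State) -> bool:
        colour[s] = 1
        for t in m(s):
            if pred(t):
                continue
            if colour.get(t) == 1 or (t not in colour and not acyclic_from(t)):
                return False
        colour[s] = 2
        return True
    return all(pred(s) or s in colour or acyclic_from(s) for s in reach)

if __name__ == "__main__":
    print(always_possibly([(0, 0)], nxy, is_y17))               # True
    print(helper_proves([(0, 0)], nxy, m_toward_y17, is_y17))   # True
    print(helper_proves([(0, 0)], nxy, m_only_x, is_y17))       # False
```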

We now show that this proof method is complete relative to non-temporal reasoning about actions. This means that if all the necessary valid action formulas can be proved, then every valid formula $\mathcal{P}_\Pi(P)$ is provable. We write $\vdash \Psi$ to mean that formula $\Psi$ is provable from Propositions 1, 2, and 3 and the rules in [8].

Our results assume that valid actions in some class of expressible formulas are provable. We assume that expressible terms and formulas are closed under the operations of first-order logic (conjunction, quantification, etc.), priming, forming tuples, and primitive recursive definitions. Relative completeness results for programming logics are generally based on some form of predicate transformer analogous to the $\mathit{sin}$ operator of [7]. For any action $A$ and state predicate $P$, the state predicate $\mathit{sin}(A, P)$ can be defined by

$$[\![\mathit{sin}(A, P)]\!](s) \;\triangleq\; \exists s_0, \ldots, s_n \in S : (s = s_n) \wedge [\![P]\!](s_0) \wedge (\forall i < n : [\![A]\!](s_i, s_{i+1})) \qquad (6)$$

for all states $s$. We first show completeness of the TLA rules for proving invariance properties.

Proposition 4 For any predicates $I$ and $Init$, state function $v$, and action $N$, if

1. Every valid expressible action formula is provable.

2. $I$, $Init$, $v$, $N$, and $\mathit{sin}([N]_v, Init)$ are expressible.

3. $\models Init \wedge \Box[N]_v \Rightarrow \Box I$

then $\vdash Init \wedge \Box[N]_v \Rightarrow \Box I$.

Proposition 4 is essentially the TLA version of the classical completeness results for Hoare logics [3]. We use it to show completeness of our method for proving possibility properties:

Proposition 5 If

1. Every valid expressible action formula is provable.

2. $P$, $Init$, $v$, $N$, and $\mathit{sin}([N]_v, Init)$ are expressible.

3. $\vdash \mathcal{C}(\Pi) = Init \wedge \Box[N]_v$

4. $\models \mathcal{P}_\Pi(P)$

then $\vdash \mathcal{P}_\Pi(P)$.

4 Conclusion

Proving possibility properties provides a way of checking that the mathematical models we make of our systems are sensible. For real-time specifications, an important possibility property is nonZenoness, which asserts that it is always possible for time to advance. The relation between possibility and closure was first observed for nonZenoness in [1]. Our method generalizes a method described there for proving nonZenoness.

Propositions 1 and 2 are independent of TLA. They can be used for proving possibility properties in any trace-based specification method for which closures can be computed. It is easy to compute closures when specifications are written as certain kinds of transition systems. For example, the closure of (the temporal-logic formula corresponding to) a Büchi automaton [2] with a strongly connected state graph is the automaton obtained by making every state an accepting state. The closure of a specification written as a state transition system [5, 9] is obtained by removing the fairness properties, if those properties are expressed as fairness conditions on transitions. We do not know of any practical method for computing the closure of arbitrary temporal-logic formulas, or of transition systems with arbitrary temporal formulas as fairness requirements. We do not know how to prove possibility properties for traditional temporal-logic specifications [10].

Acknowledgments

Martin Abadi and Stephan Merz pointed out mistakes in the text of an earlier version. Fred Schneider suggested some improvements to the presentation.



References

[1] Martin Abadi and Leslie Lamport. An old-fashioned recipe for real time. ACM Transactions on Programming Languages and Systems, 16(5):1543–1571, September 1994.

[2] Bowen Alpern and Fred B. Schneider. Recognizing safety and liveness. Distributed Computing, 2(3):117–126, 1987.

[3] Krzysztof R. Apt. Ten years of Hoare's logic: A survey — part one. ACM Transactions on Programming Languages and Systems, 3(4):431–483, October 1981.

[4] E. Allen Emerson. Temporal and modal logic. In Jan van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, chapter 16, pages 995–1072. Elsevier and MIT Press, Amsterdam and Cambridge, Massachusetts, 1990.

[5] Simon S. Lam and A. Udaya Shankar. Specifying modules to satisfy interfaces: A state transition system approach. Distributed Computing, 6(1):39–63, 1992.

[6] Leslie Lamport. 'Sometime' is sometimes 'not never': A tutorial on the temporal logic of programs. In Proceedings of the Seventh Annual Symposium on Principles of Programming Languages, pages 174–185. ACM SIGACT-SIGPLAN, January 1980.

[7] Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396–428, July 1990.

[8] Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, May 1994.

[9] Nancy Lynch and Mark Tuttle. Hierarchical correctness proofs for distributed algorithms. In Proceedings of the Sixth Symposium on the Principles of Distributed Computing, pages 137–151. ACM, August 1987.

[10] Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, New York, 1991.



Appendix

We now prove Propositions 2–5. The proofs use a hierarchical style in which the proof of a level-$n$ statement is either an ordinary paragraph-style proof or the sequence of statements ⟨n+1⟩1, ⟨n+1⟩2, … and their proofs. We recommend reading proofs top-down — reading the proof of a level-$k$ step by first reading the level-$(k+1)$ statements that form the proof, together with the proof of the final Q.E.D. step, and then reading the proofs of the level-$(k+1)$ steps in any order.

A.1 Proof of Proposition 2

To prove the proposition, we must prove that if a behavior $\sigma$ satisfies $\mathcal{C}(\Pi) \Rightarrow \mathcal{C}(\mathcal{C}(\Pi) \wedge \Box\Diamond P)$, then it satisfies $\mathcal{P}_\Pi(P)$. By the definition (3) of $\mathcal{P}_\Pi(P)$, the proposition is proved as follows.

Assume: 1. $[\![\Pi]\!](\sigma)$
        2. $[\![\mathcal{C}(\Pi) \Rightarrow \mathcal{C}(\mathcal{C}(\Pi) \wedge \Box\Diamond P)]\!](\sigma)$
Prove:  $\forall \rho \sqsubseteq \sigma : \exists \tau : [\![\Pi]\!](\rho \cdot \tau) \wedge [\![\Diamond P]\!](\tau)$

⟨1⟩1. $\forall \rho \sqsubseteq \sigma : \exists \eta \in S^\infty : [\![\mathcal{C}(\Pi)]\!](\rho \cdot \eta) \wedge [\![\Box\Diamond P]\!](\rho \cdot \eta)$
  ⟨2⟩1. $[\![\mathcal{C}(\Pi)]\!](\sigma)$
    Proof: Assumption 1 and part 1 of Proposition 1.
  ⟨2⟩2. $[\![\mathcal{C}(\mathcal{C}(\Pi) \wedge \Box\Diamond P)]\!](\sigma)$
    Proof: ⟨2⟩1, assumption 2, and the definition of $\Rightarrow$ for temporal formulas.
  ⟨2⟩3. Q.E.D.
    Proof: ⟨2⟩2, (1), and the definition of $\wedge$ for temporal formulas.
⟨1⟩2. $\forall \rho \sqsubseteq \sigma : \exists \xi \in S^* : (\exists \phi \in S^\infty : [\![\Pi]\!](\rho \cdot \xi \cdot \phi)) \wedge (\forall \chi \in S^\infty : [\![\Diamond P]\!](\xi \cdot \chi))$
  ⟨2⟩1. $\forall \rho \in S^*, \eta \in S^\infty : [\![\Box\Diamond P]\!](\rho \cdot \eta) \Rightarrow \exists \eta_1 \in S^*, \eta_2 \in S^\infty : \eta = \eta_1 \cdot \eta_2 \wedge [\![P]\!](\eta_2)$
    Proof: By definition of $\Box$ and $\Diamond$.
  ⟨2⟩2. $\forall \eta_2 \in S^\infty : [\![P]\!](\eta_2) \Rightarrow \exists \eta_3 \sqsubseteq \eta_2 : \forall \chi \in S^\infty : [\![P]\!](\eta_3 \cdot \chi)$
    Proof: By the hypothesis that $\neg P$ is a safety property and (2) (substituting $\neg P$ for $\Pi$).
  ⟨2⟩3. $\forall \rho \in S^*, \eta \in S^\infty : [\![\Box\Diamond P]\!](\rho \cdot \eta) \Rightarrow \exists \xi \sqsubseteq \eta : \forall \chi \in S^\infty : [\![\Diamond P]\!](\xi \cdot \chi)$
    Proof: By ⟨2⟩1, ⟨2⟩2, and the definition of $\Diamond$, taking $\eta_1 \cdot \eta_3$ for $\xi$.
  ⟨2⟩4. $\forall \rho \in S^*, \eta \in S^\infty, \xi \sqsubseteq \eta : [\![\mathcal{C}(\Pi)]\!](\rho \cdot \eta) \Rightarrow \exists \phi \in S^\infty : [\![\Pi]\!](\rho \cdot \xi \cdot \phi)$
    Proof: By the definition (1) of $\mathcal{C}$.
  ⟨2⟩5. Q.E.D.
    Proof: ⟨1⟩1, ⟨2⟩3, and ⟨2⟩4.
⟨1⟩3. Q.E.D.
  Proof: By ⟨1⟩2, letting $\tau$ be $\xi \cdot \phi$ and instantiating $\chi$ with $\phi$.

A.2 Proof of Proposition 3

We prove the proposition for the special case that $F$ consists of a single WF or SF formula, which is the only case used here. The general case is handled much as in the proof of Proposition 2 of [1]. In the following proof, W/SF denotes either WF or SF.

Assume: 1. $\models M \Rightarrow N$
        2. $\models \langle A \rangle_v \Rightarrow M$
        3. $\sigma \in S^\infty$
Prove:  $[\![\mathcal{C}(Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge W/SF_v(A))]\!](\sigma) = [\![Init \wedge \Box[N]_v]\!](\sigma)$

⟨1⟩1. Assume: $\forall \rho \sqsubseteq \sigma : \exists \tau : [\![Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge W/SF_v(A)]\!](\rho \cdot \tau)$
      Prove: $[\![Init \wedge \Box[N]_v]\!](\sigma)$
  Proof: Assumption ⟨1⟩ (from this step) implies that $Init$ holds in the first state of $\sigma$ and $[N]_v$ holds in every pair of successive states of $\sigma$, which implies $[\![Init \wedge \Box[N]_v]\!](\sigma)$ by definition of $\Box$ and of $[\![B]\!]$ for an action $B$.
⟨1⟩2. Assume: 1. $[\![Init \wedge \Box[N]_v]\!](\sigma)$
              2. $\rho \sqsubseteq \sigma$
      Prove: $\exists \tau : [\![Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge W/SF_v(A)]\!](\rho \cdot \tau)$
  ⟨2⟩1. Choose states $s_0, s_1, \ldots$ such that $\rho = s_0, \ldots, s_n$ and, for all $i \geq n$,
        $\wedge\; [\![\mathrm{Enabled}\,\langle A \rangle_v]\!](s_i) \Rightarrow [\![\langle A \rangle_v]\!](s_i, s_{i+1})$
        $\wedge\; \neg[\![\mathrm{Enabled}\,\langle A \rangle_v]\!](s_i) \Rightarrow (s_{i+1} = s_i)$
    Proof: The existence of the $s_i$ follows from the definition of Enabled.
  ⟨2⟩2. $[\![\Box[M]_v]\!](s_n, s_{n+1}, \ldots)$
    ⟨3⟩1. $\forall i \geq n : [\![[M]_v]\!](s_i, s_{i+1})$
      Proof: If $[\![\mathrm{Enabled}\,\langle A \rangle_v]\!](s_i)$, this follows from ⟨2⟩1 and assumption 2. If $\neg[\![\mathrm{Enabled}\,\langle A \rangle_v]\!](s_i)$, this also follows from ⟨2⟩1 because $[\![[M]_v]\!](s, s)$ holds for any state $s$.
    ⟨3⟩2. Q.E.D.
      Proof: ⟨3⟩1 and the definitions of $\Box$ and of $[\![B]\!]$ for an action $B$.
  ⟨2⟩3. $[\![W/SF_v(A)]\!](s_0, s_1, \ldots)$
    Proof: $[\![\Box\Diamond\mathrm{Enabled}\,\langle A \rangle_v]\!](s_0, s_1, \ldots)$ implies $[\![\mathrm{Enabled}\,\langle A \rangle_v]\!](s_i)$ for infinitely many $i$, which by ⟨2⟩1 implies $[\![\langle A \rangle_v]\!](s_i, s_{i+1})$ for infinitely many $i$, which implies $[\![\Box\Diamond\langle A \rangle_v]\!](s_0, s_1, \ldots)$. The result then follows from the definition of WF and SF, since $\neg\Box\Diamond\mathrm{Enabled}\,\langle A \rangle_v$ is equivalent to $\Diamond\Box\neg\mathrm{Enabled}\,\langle A \rangle_v$, which implies $\Box\Diamond\neg\mathrm{Enabled}\,\langle A \rangle_v$.
  ⟨2⟩4. $[\![\Box[N]_v]\!](s_0, s_1, \ldots)$
    ⟨3⟩1. $\forall i : [\![[N]_v]\!](s_i, s_{i+1})$
      ⟨4⟩1. Assume: $i < n$
            Prove: $[\![[N]_v]\!](s_i, s_{i+1})$
        Proof: ⟨2⟩1 and assumptions ⟨1⟩:1 and ⟨1⟩:2 (from step ⟨1⟩2).
      ⟨4⟩2. Assume: $i \geq n$
            Prove: $[\![[N]_v]\!](s_i, s_{i+1})$
        Proof: By ⟨2⟩2, the definition of $\Box$, and assumption 1.
      ⟨4⟩3. Q.E.D.
        Proof: ⟨4⟩1 and ⟨4⟩2.
    ⟨3⟩2. Q.E.D.
      Proof: ⟨3⟩1 and the definitions of $\Box$ and of $[\![B]\!]$ for an action $B$.
  ⟨2⟩5. Q.E.D.
    Proof: ⟨2⟩2, ⟨2⟩3, ⟨2⟩4, the definition of $[\![Init]\!]$, and the definition of $\Diamond$, taking $s_n, s_{n+1}, \ldots$ for $\tau$.
⟨1⟩3. Q.E.D.
  Proof: ⟨1⟩1, ⟨1⟩2, and the definition (1) of $\mathcal{C}$.


A.3 Proof of Proposition 4

⟨1⟩1. $\vdash Init \wedge \Box[N]_v \Rightarrow \Box\mathit{sin}([N]_v, Init)$
  ⟨2⟩1. $\models Init \Rightarrow \mathit{sin}([N]_v, Init)$
    Proof: Definition (6) of $\mathit{sin}$.
  ⟨2⟩2. $\models [N]_v \wedge \mathit{sin}([N]_v, Init) \Rightarrow \mathit{sin}([N]_v, Init)'$
    Proof: Definition (6) of $\mathit{sin}$.
  ⟨2⟩3. $\vdash \mathit{sin}([N]_v, Init) \wedge \Box[N]_v \Rightarrow \Box\mathit{sin}([N]_v, Init)$
    Proof: ⟨2⟩2, assumptions 1 and 2, and proof rule INV1.
  ⟨2⟩4. Q.E.D.
    Proof: ⟨2⟩1, ⟨2⟩3, and assumptions 1 and 2.
⟨1⟩2. $\vdash \mathit{sin}([N]_v, Init) \Rightarrow I$
  ⟨2⟩1. $\forall s \in S : [\![\mathit{sin}([N]_v, Init)]\!](s) \Rightarrow \exists s_0, \ldots, s_n \in S : [\![Init \wedge \Box[N]_v]\!](s_0, \ldots, s_n, s, s, s, \ldots)$
    Proof: Definition (6) of $\mathit{sin}$, and the definitions of $\Box$ and $[N]_v$.
  ⟨2⟩2. $\forall s, s_0, \ldots, s_n \in S : [\![Init \wedge \Box[N]_v]\!](s_0, \ldots, s_n, s, s, s, \ldots) \Rightarrow [\![I]\!](s)$
    Proof: Assumption 3 and definition of $\Box I$.
  ⟨2⟩3. $\models \mathit{sin}([N]_v, Init) \Rightarrow I$
    Proof: ⟨2⟩1 and ⟨2⟩2.
  ⟨2⟩4. Q.E.D.
    Proof: ⟨2⟩3 and assumptions 1 and 2.
⟨1⟩3. Q.E.D.
  Proof: ⟨1⟩1, ⟨1⟩2, and proof rule STL4 of [8].


A.4 Proof of Proposition 5

Let $\mathbb{N}$ be the set of natural numbers and let $x_1, \ldots, x_n$ be the free variables of $P$ and $N$. Since $[N]_v = [[N]_v]_{\langle v, w \rangle}$, by replacing $N$ with $[N]_v$ and $v$ with $\langle v, x_1, \ldots, x_n \rangle$, we can assume:

5. $v$ is a tuple whose components include all free variables of $P$ and $N$.

In the following proof, $P_n$ is the predicate that is true iff $P$ can be made true by taking $n$ $N$-steps, but with no fewer than $n$ such steps.

Let: $P_n \;\triangleq\; \mathbf{if}\ n = 0\ \mathbf{then}\ P\ \mathbf{else}\ (\forall i < n : \neg P_i) \wedge \mathrm{Enabled}\,(N \wedge (v' \neq v) \wedge P'_{n-1})$
     $M \;\triangleq\; N \wedge (\forall n : P_{n+1} \Rightarrow P'_n)$

⟨1⟩1. $\vdash Init \wedge \Box[N]_v \Rightarrow \Box(\exists n : P_n)$
  Let: $\pi(s, n) \;\triangleq\; \exists s_0, \ldots, s_n : (s = s_0) \wedge [\![P]\!](s_n) \wedge (\forall i < n : [\![N \wedge (v' \neq v)]\!](s_i, s_{i+1}))$
  ⟨2⟩1. $\forall \langle s_0, s_1, \ldots \rangle \in S^\infty : [\![Init \wedge \Box[N]_v]\!](s_0, s_1, \ldots) \Rightarrow \forall i \in \mathbb{N} : \exists n \in \mathbb{N} : \pi(s_i, n)$
    Proof: Assumptions 3 and 4, (3) (the definition of $\mathcal{P}_\Pi(P)$), and the definitions of $\mathcal{C}$ and $\Diamond$.
  ⟨2⟩2. $\forall s \in S, n \in \mathbb{N} : [\![P_n]\!](s) = \pi(s, n) \wedge (\forall i < n : \neg\pi(s, i))$
    Proof: By induction on $n$ from the definitions of $P_n$, $\pi$, and Enabled.
  ⟨2⟩3. $\forall s \in S : [\![\exists n : P_n]\!](s) = (\exists n \in \mathbb{N} : \pi(s, n))$
    Proof: ⟨2⟩2.
  ⟨2⟩4. $\models Init \wedge \Box[N]_v \Rightarrow \Box(\exists n : P_n)$
    Proof: ⟨2⟩1, ⟨2⟩3, and the definitions of $\Box$ and $[\![[N]_v]\!]$.
  ⟨2⟩5. Q.E.D.
    Proof: ⟨2⟩4, assumptions 2 and 1, and Proposition 4, since $\mathrm{Enabled}\,A$ is obtained by existential quantification over the primed variables of $A$, so it is expressible if $A$ is, for any action $A$.
⟨1⟩2. Assume: $k \in \mathbb{N}$
      Prove: $\vdash \Box[M]_v \wedge WF_v(M) \Rightarrow (P_{k+1} \leadsto P_k)$
  ⟨2⟩1. $\vdash P_{k+1} \wedge [M]_v \Rightarrow P'_{k+1} \vee P'_k$
    Proof: Definition of $M$ and assumption 5 (which, by induction on $k$, implies $P_{k+1} \wedge (v' = v) \Rightarrow P'_{k+1}$).
  ⟨2⟩2. $\vdash P_{k+1} \wedge \langle M \rangle_v \Rightarrow P'_k$
    Proof: Definition of $M$.
  ⟨2⟩3. $\vdash P_{k+1} \Rightarrow \mathrm{Enabled}\,\langle M \rangle_v$
    ⟨3⟩1. $\models P_{k+1} \Rightarrow \forall n \neq (k+1) : \neg P_n$
      Proof: Definition of $P_n$.
    ⟨3⟩2. $\models P_{k+1} \Rightarrow (M = N \wedge P'_k)$
      Proof: ⟨3⟩1 and definition of $M$.
    ⟨3⟩3. $\models P_{k+1} \Rightarrow \mathrm{Enabled}\,\langle M \rangle_v$
      Proof: ⟨3⟩2 and the definition of $P_{k+1}$.
    ⟨3⟩4. Q.E.D.
      Proof: ⟨3⟩3 and assumption 1.
  ⟨2⟩4. Q.E.D.
    Proof: ⟨2⟩1–⟨2⟩3 and rule WF1 of [8].
⟨1⟩3. $\vdash \Box(\exists n : P_n) \wedge \Diamond\Box[M]_v \wedge WF_v(M) \Rightarrow \Box\Diamond P$
  ⟨2⟩1. $\vdash \Box(\exists n : P_n) \wedge \Diamond\Box[M]_v \wedge WF_v(M) \Rightarrow ((\exists n : P_n) \leadsto P)$
    Proof: ⟨1⟩2 and the Lattice Rule of [8].
  ⟨2⟩2. $\vdash \Box F \wedge (F \leadsto G) \Rightarrow \Box\Diamond G$, for any temporal formulas $F$ and $G$.
    Proof: $\Box F \wedge (F \leadsto G) = \Box F \wedge \Box(F \Rightarrow \Diamond G)$ (definition of $\leadsto$)
           $= \Box(F \wedge (F \Rightarrow \Diamond G))$ (rule STL5 of [8])
           $\Rightarrow \Box\Diamond G$ (rule STL4 of [8]).
  ⟨2⟩3. Q.E.D.
    Proof: ⟨2⟩1 and ⟨2⟩2.
⟨1⟩4. Q.E.D.
  ⟨2⟩1. $\vdash \mathcal{C}(Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge WF_v(M)) = Init \wedge \Box[N]_v$
    Proof: Proposition 3, since $\vdash M \Rightarrow N$ by definition of $M$.
  ⟨2⟩2. $\vdash Init \wedge \Box[N]_v \wedge \Diamond\Box[M]_v \wedge WF_v(M) \Rightarrow \mathcal{C}(\Pi) \wedge \Box\Diamond P$
    Proof: ⟨1⟩1, ⟨1⟩3, and assumption 3.
  ⟨2⟩3. $\vdash \mathcal{C}(\Pi) \Rightarrow \mathcal{C}(\mathcal{C}(\Pi) \wedge \Box\Diamond P)$
    Proof: ⟨2⟩1, ⟨2⟩2, assumption 3, and part 2 of Proposition 1.
  ⟨2⟩4. Q.E.D.
    Proof: ⟨2⟩3 and Proposition 2.